[Git][xorg-team/xserver/xorg-server][debian-unstable] 2 commits: composite: Fix use-after-free of the COW

Julien Cristau pushed to branch debian-unstable at X Strike Force / xserver / xorg-server

Commits:

80c6923d

by Olivier Fourdan at 2023-03-29T15:10:10+02:00

composite: Fix use-after-free of the COW

ZDI-CAN-19866/CVE-2023-1393

If a client explicitly destroys the compositor overlay window (aka COW),
we would leave a dangling pointer to that window in the CompScreen
structure, which will trigger a use-after-free later.

Make sure to clear the CompScreen pointer to the COW when the latter gets
destroyed explicitly by the client.

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit 26ef545b3502f61ca722a7a3373507e88ef64110)

55908a43
by Julien Cristau at 2023-03-29T15:11:30+02:00
```
Upload to unstable
```

Changes:

composite/compwindow.c

@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin)
      ret = (*pScreen->DestroyWindow) (pWin);
      cs->DestroyWindow = pScreen->DestroyWindow;
      pScreen->DestroyWindow = compDestroyWindow;
++
 +    /* Did we just destroy the overlay window? */
 +    if (pWin == cs->pOverlayWin)
 +        cs->pOverlayWin = NULL;
++
  /*    compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
      return ret;
+ }

debian/changelog

 +xorg-server (2:21.1.7-2) unstable; urgency=high
++
 +  * composite: Fix use-after-free of the COW
 +    ZDI-CAN-19866/CVE-2023-1393
++
 + -- Julien Cristau <jcristau@debian.org>  Wed, 29 Mar 2023 15:11:07 +0200
++
  xorg-server (2:21.1.7-1) unstable; urgency=medium
    * New upstream release